Internal control is one of the basic prerequisites for a business, and refers to the regulatory framework that organisations follow in order to function. This can be anything from ensuring that your business gets paid for its services, to making sure an invoice is paid correctly and on time.

All businesses have some form of internal control, even if it’s not explicit and is entirely informal. For most businesses, there are usually standardised rules for the processes and procedures involved, and typically these are supplemented by some form of control activity level, such as an authorisation flow to check an incoming invoice. For many companies, internal control – even if it’s explicit and standardised to an extent – isn’t always documented, monitored or optimised.

Enhancing and improving internal control has become increasingly important, mainly due to major and recurring incidents in business and society: crimes and deficiencies in businesses that the general public gets to hear about, that are reported on in the media and that are even taken to court. Let’s take a look at the concept!

All businesses have some form of internal control, so it’s important to define the degree to which it exists so that we can later define expectations for how it can be improved. Not everything in an organisation needs to be formalised and controlled for internal control to improve. Rather, it’s all a matter of identifying and managing the most relevant and critical risks to the business, and defining effective controls in order to raise the maturity of the business in terms of internal control.


The COSO framework is a well-known model for evaluating, implementing and reviewing an organisation’s internal control and governance when it comes to operational objectives, reporting and compliance with laws and regulations. This model consists of 5 components – Control Environment, Risk Assessment, Control Activities, Information & Communication and Monitoring Activities – which in turn are described using 17 principles.

Evaluating processes and procedures against this framework can give the business a good understanding of its current situation and maturity.


Control Environment

The organization demonstrates a commitment to integrity and ethical

The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.


Risk Assessment

The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

The organization considers the potential for fraud in assessing risks to the achievement of objectives.

The organization identifies and assesses changes that could significantly affect the system of internal control.


Control Activities

The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

The organization selects and develops general control activities over technology to support the achievement of objectives.

The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information & Communication

The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

The organization communicates with external parties regarding matters affecting the functioning of internal control.


Monitoring Activities

The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Maturity level for internal control

The maturity of the business in terms of internal control can be assessed on the basis of the COSO framework and the 17 principles. This assessment aims to define how well formulated the control functions within the business are, and need to be. Maturity can be divided into 5 levels, each level providing an increased assurance that the prevailing internal control structure is able to identify significant deficiencies and nonconformities in time.











The maturity level for internal control starts at an undefined level with a very high risk of nonconformities, or even the complete absence of a control and governance structure. From this level, the scale then extends gradually towards a basic, standardised, monitored and finally optimised level. A higher level of maturity means that internal control is an increasingly integral part of the business, with controls that are highly likely to prevent and remedy deficiencies, risks, errors and mistakes.

The challenge for most businesses is to define, on the basis of the level of maturity, a relevant short and long-term internal control objective linked to the needs and risks perceived by the business. The level of ambition ranges from meeting only basic needs with a minor impact on the business, to an optimised environment where nonconformities are highly likely to be identified.

How automation increases the maturity level for internal control

With an identified maturity level and an objective for internal control established in the business, smart automation tools are available that can be used to achieve the set targets effectively. This can range from automation for following up on established processes and procedures and ensuring they’re working, to partially or entirely replacing manual processes that don’t add value and that nevertheless cause risks and costs for the business.

Controlling payments and suppliers is a good example of automation that effectively moves the level of maturity of the business significantly up the maturity scale, and has important effects…

Here are some of the effects…

Identify risks associated with financial crime, such as scam companies and fraud.

Increase security for colleagues and staff, avoid misunderstandings and mistrust.

Receive acknowledgement and confirmation that processes and procedures are working properly.

Ensure compliance with laws and regulations, reduce the risk of costs in the form of fines, or legal proceedings.

The ability to act proactively on mistakes and errors before they occur.

Consistent, clear processes that enhance efficiency.

Good internal control solutions

Inyett Trust Analysis
Analysing people with secondary occupations

Inyett Register Analysis
Analysing suppliers and registers

Inyett Payment History Analysis
Analysing historical payments.